
The resignation of Gen. David Petraeus began, we all now know, with Gmail. Petraeus' biographer and reported mistress Paula Broadwell apparently regarded Tampa socialite and Petraeus friend Jill Kelley as a romantic rival, and she e-mailed Kelley from an anonymous Gmail account, warning her to stay away from the general. Kelley turned those e-mails over to the FBI, which began investigating who was behind the messages and eventually identified Broadwell as the owner of the account.

The FBI gained access to Broadwell's anonymous e-mail account. Inside, they found evidence that Broadwell and Petraeus had exchanged racy messages by storing them in Gmail's "drafts" folder.

The Broadwell saga illustrates just how vulnerable our e-mail is to warrantless government snooping, as privacy researcher Chris Soghoian noted in a post at the ACLU blog. We don't yet know exactly what legal procedures the FBI invoked to get information about Broadwell's online activities. But alarmingly, most of the information the FBI reportedly obtained in the course of its investigation would not have required any judicial oversight.

Warrantless access to non-content information

To conceal her identity, Broadwell avoided accessing the account from her home Internet account. Instead, she accessed it from publicly available WiFi connections.

Yet these steps proved insufficient to hide her identity. A source told NBC that it "took agents a while to figure out the source. They did that by finding out where the messages were sent from—which cities, which Wi-Fi locations in hotels. That gave them names, which they then checked against guest lists from other cities and hotels, looking for common names."

Similarly, the New York Times says that agents "had to use forensic techniques—including a check of what other e-mail accounts had been accessed from the same computer address—to identify who was writing the e-mails."

Soghoian points out that under current law, all of this information—what IP addresses were used to identify a particular Gmail account, which other accounts were accessed with the same IP address, who stayed in a particular hotel on a particular date—can be obtained with a simple subpoena. That means there's no judicial oversight unless the recipient of the subpoena objects.

"There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press)," Soghoian notes.

Draft-y security

Not only did Broadwell try to hide her identity by creating an anonymous e-mail account, she also reportedly sought to avoid having her e-mails to Petraeus intercepted by not sending them at all. Instead, she and Petraeus shared the password to the e-mail account, and would leave messages for each other in its "drafts" folder.

This is not a new technique. Terrorists such as Khaled Sheikh Mohammed have used this method to evade surveillance. Yet ironically, using the technique may actually make your communications more susceptible to government snooping.

"The Department of Justice has argued that e-mails in the 'draft' or 'sent mail' folder are not in 'electronic storage' (as defined by the Stored Communications Act), and thus not deserving of warrant protection," Soghoian notes. "Instead, the government has argued it should be able to get such messages with a mere subpoena."

The weak privacy protections for metadata and draft e-mails are two examples of a broader problem: the rules governing law enforcement access to e-mail are extremely murky, and do not adequately safeguard online users' privacy rights. Law enforcement access to e-mail is governed by the 1986 Electronic Communications Privacy Act, which has long since started to show its age. The ECPA requires a warrant to obtain freshly sent e-mail before it's been opened by the recipient. But once an e-mail has been opened, or once it has been sitting in the recipient's e-mail box for 180 days, a lower standard applies. These rules simply don't line up with the way modern e-mail systems work.

Meanwhile, current legal precedents cast doubt on whether the Fourth Amendment's guarantee against unreasonable searches applies to cloud-based e-mail services at all. A legal principle called the Third Party Doctrine suggests that users give up their Fourth Amendment rights when they entrust their information to third parties such as Google. Justice Sonia Sotomayor has expressed skepticism about the Third Party Doctrine, suggesting that the Supreme Court might overrule it at some point in the future. But in the meantime, the government appears to have significant powers to rifle through information we entrust to cloud service providers like Google.